Apache OpenOffice (AOO) Bugzilla – Issue 46283
Access to PKCS #11 module breaks Mozilla profile detection
Last modified: 2006-08-10 13:27:39 UTC
Environment: OpenOffice.org 1.9.89 SuSE Linux Pro 9.2 Aladdin eTokenPro modules pcsc-lite-1.1.1-248.1 When a PKCS #11 module is added to the Mozilla user profile in order to access digital certificates stored in a Smartcard or a USB token, OOo fails to recognize the user profile and throws the following message when File -> Digital Signatures... is invoked: "Digital signatures functionality could not be used, because no Mozilla user profile was found. Please check the Mozilla installation." Removing the PKCS #11 library from the Mozilla user profile resulted in OOo being able to use the certificate stored in the software security device to sign documents. I ran strace on soffice.bin and found the following lines in the output. Apparently OOo is able to locate the profile but for some reason is not able to use it. The library libetpkcs11.so.3.15.10 called is the Aladdin eTokenPro PKCS #11 library defined in the Mozilla security devices configuration. stat64("/home/salomon/.mozilla/Salomon/jsztfjdk.slt/secmod.db", {st_mode=S_IFREG|0600, st_size=16384, ...}) = 0 open("/home/salomon/.mozilla/Salomon/jsztfjdk.slt/secmod.db", O_RDONLY) = 48 fcntl64(48, F_SETFD, FD_CLOEXEC) = 0 read(48, "\0\6\25a\0\0\0\2\0\0\4\322\0\0\20\0\0\0\0\f\0\0\1\0\0\0"..., 260) = 260 lseek(48, 4096, SEEK_SET) = 4096 read(48, "\2\0\354\17\222\17\210\17\222\17\0\0\0\0\0\0\0\0\0\0\0"..., 4096) = 4096 lseek(48, 8192, SEEK_SET) = 8192 read(48, "\4\0\344\17j\rS\r\357\f\341\f\357\f\0\0\0\0\0\0\0\0\0\0"..., 4096) = 4096 close(48) ... stat64("/home/salomon/.mozilla/Salomon/jsztfjdk.slt/cert8.db", {st_mode=S_IFREG|0600, st_size=65536, ...}) = 0 open("/home/salomon/.mozilla/Salomon/jsztfjdk.slt/cert8.db", O_RDONLY) = 48 fcntl64(48, F_SETFD, FD_CLOEXEC) = 0 read(48, "\0\6\25a\0\0\0\2\0\0\4\322\0\0@\0\0\0\0\16\0\0\1\0\0\0"..., 260) = 260 lseek(48, 16384, SEEK_SET) = 16384 read(48, "\2\0\367?\364?\352?\364?\377\377\377\377\377\377\377\377"..., 16384) = 16384 stat64("/home/salomon/.mozilla/Salomon/jsztfjdk.slt/key3.db", {st_mode=S_IFREG|0600, st_size=16384, ...}) = 0 open("/home/salomon/.mozilla/Salomon/jsztfjdk.slt/key3.db", O_RDONLY) = 49 fcntl64(49, F_SETFD, FD_CLOEXEC) = 0 read(49, "\0\6\25a\0\0\0\2\0\0\4\322\0\0\20\0\0\0\0\f\0\0\1\0\0\0"..., 260) = 260 lseek(49, 4096, SEEK_SET) = 4096 read(49, "\4\0\371\17\370\17\355\17\335\17\317\17\335\17\377\377"..., 4096) = 4096 open("/opt/mozilla/lib/libnssckbi.so", O_RDONLY) = 50 read(50, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\360T\0"..., 512) = 512 fstat64(50, {st_mode=S_IFREG|0755, st_size=252563, ...}) = 0 old_mmap(NULL, 217020, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 50, 0) = 0x47a55000 madvise(0x47a55000, 217020, MADV_SEQUENTIAL|0x1) = 0 old_mmap(0x47a82000, 32768, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 50, 0x2c000) = 0x47a82000 close(50) = 0 open("/usr/local/lib/libetpkcs11.so.3.15.10", O_RDONLY) = 50 read(50, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\250Q\0"..., 512) = 512 fstat64(50, {st_mode=S_IFREG|0755, st_size=477468, ...}) = 0 old_mmap(NULL, 484756, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 50, 0) = 0x47a8a000 madvise(0x47a8a000, 484756, MADV_SEQUENTIAL|0x1) = 0 old_mmap(0x47ae6000, 98304, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 50, 0x5c000) = 0x47ae6000 old_mmap(0x47afe000, 9620, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x47afe000 close(50)
atr->fst: one for you, please have look.
Hi Malte, please check this Issue. Frank
Any progress on this issue? If needed, I can provide the required modules for the USB token I'm using.
Tested on m91 on both Windows and Linux. On Windows, everything seems to work fine. OOo is able to use the certificate stored in the USB token. On Linux, however, the profile detection is broken when I'm using the token. Some additional info, on Linux, when the token is physically removed, OOo is able, once again, to access the user profile.
JL will take care :)
Great! If JL needs any module or a testcase I can provide it.
Forgot to change owner...
retargetted due to workload
With 2.0.0 out the door, are we ready to start work on this issue? I would like to remind that digital signatures are an important issue for government users here in Brazil.
Downloaded and tested 2.0.1 RC1. Despite the mention on the changelog of work having been done in xmlsecurity to address smartcard access the problem continues on Linux.
We will not finish this until 2.0.2 code freeze -> retargetting to 3.0
.
Still waiting and available for testing whenever you are ready.
retarget to 2.0.4
Cannot confirm this issue. However, the use of smartcards was broken so far. Please wait for the fix of i39382. I will set the resolution to "worksforme". In case this problem continues to exist then let me know.
jl, Could you confirm your environment (versions for OS, Firefox, OpenCT, PCSC-Lite, and OOo), please?
My test environment: Suse10 Firefox 1.0.6, Mozilla 1.7.11 Cardreader: Omnikey Cardman 3121 PC/SC driver for Cardman 3121: ifdokccid 2.6 Middleware: safesign-javacard 2.1.0-2, safesign-pkcs11 2.1.0-3
This breaks: Solaris 10/SPARC, Mozilla 1.7.2 How to reproduce: 1. Store a certificate in the Mozilla Software Security Device. 2. Verify that you can access this certificate from StarOffice. 3. Add /usr/lib/libpkcs11.so as additional security device to Mozilla. 4. Store a certificate there. 5. Select "File/Digital Signatures" from StarOffice. -> You will receive the following error message: "Digital signatures functionality could not be used, because no Mozilla user profile was found. Please check the Mozilla installation" 6. Remove the additional security device from Mozilla. 7. Access to your certificates from StarOffice will work once more.
Ok, this scenario "works". I will investigate.
Please verify. re-open issue and reassign to fst@openoffice.org
reassign to fst@openoffice.org
reset resolution to FIXED
Found fixed on cws jl34
found integrated on master m181